a8ea06d85ebf9a896a5d4fbdef5e931ed3aeb8e5b728c4d764a7e23826f7d0c8

Analysis

max time kernel
601s
max time network
363s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
23/07/2023, 17:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

baseline.profm
Size

176B
MD5

71538136611e022cf0d0f0f26f1e866a
SHA1

d121958846e1bbe602e00f07dc3eb10269d9f200
SHA256

496d7b314b7fb3f883160181030bb030e3fbed81e64b877f1f98f8a2c373188f
SHA512

7875d6d1571d69bf0af7d80e13df3f96ac525b84b8c00b95f2ceae81a0d05f84d243f7176e84c5bcd1bcb3e31b64fa080e1d04b4b36ae362cb7b9fb185ade87b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\profm_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\profm_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\profm_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.profm	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\.profm\ = "profm_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\profm_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\profm_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000_CLASSES\profm_auto_file\shell\Read	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1676	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1676	AcroRd32.exe
1676	AcroRd32.exe
1676	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2884	2804	cmd.exe	29
PID 2804 wrote to memory of 2884	2804	cmd.exe	29
PID 2804 wrote to memory of 2884	2804	cmd.exe	29
PID 2884 wrote to memory of 1676	2884	rundll32.exe	30
PID 2884 wrote to memory of 1676	2884	rundll32.exe	30
PID 2884 wrote to memory of 1676	2884	rundll32.exe	30
PID 2884 wrote to memory of 1676	2884	rundll32.exe	30

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\baseline.profm
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\baseline.profm
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\baseline.profm"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5329a13aee912095ed70d8e9dcc98295

SHA1
85c5b97359d1993f3038175a31812eaa48cc2c63

SHA256
47baf547b9780f2f335072e52e1c5266b05a9f829925e0859699a2ffba5be13b

SHA512
674ecc57188755d698c5eeeca5981a081842edb98085dc2ef3bc9df18d3785b6e11c872144793491a5af9ebee246a934238f27e156cabf2b0388c71b8c1644f3

Download Submit